Carberp Trojan Removes Antivirus Scanners, Other Malware from Host

The latest banking malware Carberp has gone through three versions since it came on the scene last year and continues to add on new features.

A piece of banking malware is evolving more sophisticated capabilities to
stay hidden on victims' PCs, according to several security researchers.
The information-stealing malware Carberp, discovered last October, can steal
a range of data, disguise itself as a legitimate Windows file and remove any
antivirus software installed on the host, according to Seculert. As the latest
banking malware to emerge, it has been changing very rapidly and adding on new
features and capabilities, Seculert said.

Carberp is considered the next big banking threat, alongside SpyEye,
especially since the new Trojan attack kit was becoming the weapon of choice
over Zeus, TrustDefender said. Development
for the Zeus Trojan, the well-known banking Trojan that may have stolen
millions of dollars, appears to have stopped, and the code has been merged
with SpyEye, various researchers said.

Carberp runs on all versions of Windows, including Windows 7, without
needing administrator privileges, according to TrustDefender.
It can register itself as a browser extension in order to constantly monitor
all Web traffic, even the encrypted online banking traffic. It can inject rogue
HTML code into Web pages that can steal data, Seculert
said.
Carberp has gone through three generations, Jorge Mieres, a malware analyst
at Kaspersky Lab, told eWEEK. The first versions of Carberp were very simple
Trojan downloaders that downloaded other pieces of malware, Mieres said. Each
succeeding version has added on sophisticated features.
The second generation incorporated features for managing a command and control
Web-based botnet, Mieres said. Carberp is one of the "largest private
botnets," he said. The kit also contained a small plug-in called "passw.plug,"
which is designed to steal information from more than 90 applications installed
on the infected computer, he said.
The third and current generation added two new components that interfere
with computers' security software. The "stopav.plug" disables the
antivirus software already installed, and "miniav.plug" acts as a
cleaner to remove other pieces of malware, Mieres said. Seculert said the
miniav plug-in can remove well-known malware families including Zeus,
BlackEnergy, Limbo and MyLoader.
Carberp does the cleaning to prevent other malware from interfering with its
activities, according to Seculert.
The latest version of Carberp has updated how it communicates with a
command-and control server. Like most advanced malware, including the highly
sophisticated Zeus, previous versions encrypted that traffic using RC4
encryption and used the same encryption key all the time, Seculert wrote on the
blog. This made things easier for security administrators because intrusion
protection systems could analyze traffic and pick out possible packets using
that key.
The developers have caught on, and now Carberp uses a randomized key that it
registers with the control server. Since the malware uses a different key every
time, it is harder to detect.
The update has also changed Carberp's target. The previous version targeted
banks in the Netherlands
and the United States.
The latest version is targeting users in Russian-speaking markets.
Seculert said Carberp will likely incorporate links to a scanning service in
future versions, similar to SpyEye and other attack kits.
Regardless of which version infected a computer, Carberp collected
information about the host's operating system, browsers and antivirus, said
Mieres. This gives attackers an idea of what kind of antivirus software they
need to evade. Security researchers have long warned that malware developers run
new samples through antivirus software to make sure it can't be detected before
releasing them into the wild.
The other twist is that the collected statistics tell the malware authors
what antivirus needs to be added to the "stopav.plug" so that Carberp
can deactivate it, Seculert said.
The statistics gathered by the botnet, as analyzed by Seculert, showed
Kaspersky Lab's antivirus software had a "74 percent use ratio."